Secure microkernel in a KVM switch offers spy-grade app virtualization

Researchers at Australian think tank Data61 and the nation's Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch.

As explained to El Reg by Toby Murray, on behalf of his fellow researcher from Data61’s Trustworthy Systems Team Kevin Elphinstone, workers in secure environments will sometimes have multiple PCs on their desks. Each will be connected to its own network and run apps that live on discrete infrastructure. Those air gaps provide hygiene so that organisations feel satisfied data can't move between applications. To make things a little less cluttered on the physical desktop , keyboard, video and mouse (KVM) switches mean users can share one set of human interface peripherals among multiple PCs.

While KVM switches save clutter, users only see one app at a time. Which isn't great given that sharing data from diverse sources can help the kind of people who need these rigs to do their jobs.

Hence Data61's newly-revealed “Cross-Domain Desktop Compositor” (CDDC), a small piece of hardware that offers the same peripheral-aggregating functionality as a KVM switch but can also publish applications from different machines onto one screen and even allow cut and paste between windows.

The CDDC uses the seL4 microkernel, code that has been mathematically proven free of error and is therefore deployed in environments where reliability and resilience are at a premium.

The CDDC's field-programmable gate array contains seL4 and code to scrape apps from different PCs and publish them into a single screen.

The device's output is just video so even though users see apps from up to four air-gapped PCs or thin clients on on screen, those machines' isolation is preserved.

Policies can be applied so that only the permitted pixels make it off a PC and into the monitor the CDDC drives. Users are also reminded what level of security applies to the app they're working with. Interaction between windows also follows policy - no naughty cutting and pasting from Top Secret to mere For Official Use Only apps allowed!

The Cross-Domain Desktop Compositor's output - several apps on one screen, all rendered as mere pixels

Murray said Data61 built the CDDC because while commercial products can publish apps securely, there are known problems with general-purpose hypervisors. He mentioned Xen's recent woes as one reason sensitive users aren't keen on commercial products.

For now, Murray hopes Australian defence types and government types will be interested in the CDDC. Over time he hopes financial services, medical and energy sector users will appreciate the chance to publish applications in a splendidly paranoid fashion too. ®